Yet another Kerberos/AD login problem

I have read and reread the admin manual plus literally hundreds of posts on this forum but still can’t make ad authentication with Kerberos work on xi3.1.

My idea at this stage is to simply allow users to log on to Infoview and CMC by typing in their Windows username and pwd. If I can make this work only then I will try to configure Vintela SSO. Makes sense, right?

What I have done is this:

• mapped ad users to boe in authentication tab in CMC (all boe users now have ad alias in CMC)
• created a new account (let’s call it “BO”) on ad domain controller for this purpose
• ran SETSPN.exe to specify BO as a service account (no error message, seemed ok)
• gave “act as part of the operating system” right to BO
• put BO in local admin group on my boxi Windows server
• specified SIA service to use BO (log on tab, Windows services)
• created krb5.ini and bsclogin.conf and put them on C:\WINDOWS
• in Tomcat java options specified path to these files as per admin manual

After all this, ad log on should work, right? When I try to log on to CMC using ad auth, I get a time remaining bar at the bottom of the page as if the system tried to do something for about 30 sec and then… … nothing. No error message, nothing. Cannot log on. When I change authentication mode to enterprise I can log on just fine.

My krb5.ini:

[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_kdc = true
dns_lookup_realm = true
[realms]
MYDOMAIN.COM = {
default_domain = MYDOMAIN.COM
kdc = BO.MYDOMAIN.COM
}

(There is only one domain. I am not sure about kdc= part, didn’t know what to put in as host.)

Any help very much appreciated.


boe_admin (BOB member since 2009-04-16)

Hi,

I’ve just recently got AD working with Kerberos on XI 3.1, so it is possible.

Looks like you are on the right path, just have a couple of things to try/check :

  1. In my krb5.ini, I only have the following entry :

[realms]
MYDOMAIN.COM = {
kdc = SERVER.MYDOMAIN.COM
}

where SERVER is my domain controller server name

  2. Have you tried running the kinit.exe command to check if this works ok?

Run cmd.exe

\javasdk\bin\kinit.exe ServiceUser@MYDOMAIN.COM password

If an error is returned, it might provide some clues. If no error is returned, this part is working, but your CMS settings might be incorrect.

What I found was that I needed to play around with the settings for AD in the CMC :

  • for the AD Administration Name, I have ServiceUser@MYDOMAIN.COM
  • for Default AD Domain, I have MYDOMAIN.COM
  • for Service Principal Name, I have SPNName/MYDOMAIN.COM (where the SPNName is the name you specified when using SETSPN.exe, mine was BOBJCMS)

I’m still to try SSO, so keep us posted if you get that working too.

Good luck, keep with it, sounds like you’ve done most of the work.

:slight_smile:


gbnz (BOB member since 2005-07-26)

Thanks for your advice gbnz. I will try modifying my domain host setting in krb5.ini first thing when I’m at my desk next week. I probably have my domain controller name wrong.

I haven’t yet tried troubleshooting Kerberos with kinit command. That’s another thing I need to test.

I’m totally confused about different ways of creating an spn. On one hand there is setspn, on the other there is ktpass. The admin guide mentions both: first there is a chapter titled “configuring manual AD authentication” which I’ve been following, where they use setspn. Then there is another chapter titled “configuring single sign on” where they create the spn yet again, this time with ktpass :crazy_face: To accomplish SSO, am I supposed to do it twice?? This is all so confusing, plus surprisingly difficult.

I remember back in 2001-2002 with Infoview v.5 to enable single-sign on all you had to do was rename one dll and click one radio button in the admin tool… Took about 2 minutes. Those were the good old days. :lol:


boe_admin (BOB member since 2009-04-16)

On the domain server you may have to set some group or local policies for the BO account. Can’t recall exactly but something about enabling users to be trusted for delegation.


richardcottave (BOB member since 2006-03-30)

Ok, I finally got krb5.ini working. When running kinit a ticket is created.

However, when trying to log on I get

Account Information Not Recognized: The Active Directory Authentication plugin could not authenticate at this time.

:hb:

I now have the settings for AD in the CMC identical to what gbnz said.

After all these unsuccessful login attempts the stdout log is a kilometre long but is complete gibberish to me. There are, however, lines with java.lang.NullPointerException followed by dozens of other lines.

Any help very much appreciated.


boe_admin (BOB member since 2009-04-16)

  1. Did you make changes in web.xml file located in Tomcat folder?

  2. Did you put a password in the Tomcat configuration, or create a vinsso.keytab file and put it in WINNT?

  3. Why did you put krb5.ini and bsclogin.conf in C:\WINDOWS instead of in C:\WINNT?


nlajka (BOB member since 2008-07-31)

  1. No, I did not change web.xml. According to the admin doc, you only do this to enable SSO. At this stage, I only want to make manual AD authentication work.

  2. Same as above. If the doc is right you don’t do this for manual ad auth.

  3. I did put those eventually in C:\WINNT so this is ok. Sorry I forgot to mention that. As mentioned, kinit works so these files are ok on my server.

When trying to log in error message is still:

Account Information Not Recognized: The Active Directory Authentication plugin could not authenticate at this time. Please try again. If the problem persists, please contact your technical support department. (FWM 00005)


boe_admin (BOB member since 2009-04-16)

Sorry, I just read SSO. It was such a big thing for us that when I see SSO in a text, that is all I think about :reallymad:


nlajka (BOB member since 2008-07-31)

We are in the same boat.
At this point, Kinit is working fine and we have reason to believe all the settings are right.
We are getting the message FWM 00005 when attempting to log in, but we find the following in the stdout.log of Tomcat, which seems to indicate the authentication part works. (I have changed the account name)

Acquire TGT using AS Exchange
principal is myuser@MY.DOMAIN.NET
EncryptionKey: keyType=3 keyBytes (hex dump)=0000: 75 2F 4C 20 10 54 7F 23
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 75 2F 4C 20 10 54 7F 23
Commit Succeeded

This is getting confusing.
Has anyone else been down that path?


JF Cayron (BOB member since 2002-08-15)

Our server operations team has successfully implemented AD authentication against AD 2008 in a 3.1 migration test environment. I will get the detailed steps to share. One outstanding issue we are facing is that the user has to log in using the username@DOMAIN.COM syntax, and login is unsuccessful with just the user name without the domain name qualification.


Farhan Jaffery (BOB member since 2005-08-27)

I am about to give up trying to configure ad. Users will have to make do with enterprise authentication. I am running out of things to check.

They really should embed ad configuration as an option in the installation program. The installation program should automatically create and configure krb5.ini, setspn, map ad users to the cms etc. Having to do it like this makes no sense. :reallymad:


boe_admin (BOB member since 2009-04-16)

Farhan Jaffery, any chance of you posting the steps you did to make ad work?


boe_admin (BOB member since 2009-04-16)

Hopefully tomorrow, as we are facing a major hardware crisis today :reallymad:


Farhan Jaffery (BOB member since 2005-08-27)

Here are the steps we followed to set up XI 3.1 AD authentication using Kerberos (CMC and InfoView apps do not support NTLM):

  1. Determine the service account that will be used for running the BO services
  2. Create Service Principal Names (SPNs) for the service account on the DC:
    setspn -a BOBJCentralMS/NETBIOS_DOMAIN_NAME accountname
    setspn -a BOBJCentralMS/FQDN_DOMAIN_NAME accountname
    Ex: setspn -a BOBJCentralMS/TESTDOMAIN account1
    setspn -a BOBJCentralMS/TESTDOMAIN.ABC.COM account1
    Note: It’s important to note that SPNs are case sensitive. Note the case in which you created the SPNs
  3. Run the following to ensure that the SPNs got created
    setspn -l accountname
    It should list 2 SPN entries: BOBJCentralMS/NETBIOS_DOMAIN_NAME & BOBJCentralMS/FQDN_DOMAIN_NAME
  4. Add the service account to the local administrators group (ex: TESTDOMAIN\account1 added to local admin group) on the application server where BO was installed
  5. On the BO server where the SIA service is installed, go to Start -> Run -> gpedit.msc
    i. Go to Windows settings -> Security settings -> Local policies -> User rights assignment
    ii. Double click on the policy “Act as part of the operating system”.
    iii. Add the service account to this & click on OK
  6. Configure all services to run with the above service account (ex: TESTDOMAIN\account1)
  7. Login to CMC -> Authentication -> Windows AD
  8. Check the box that says “Enable Windows Active Directory (AD)”
  9. Click on the AD Administration Name link under AD configuration summary & fill in the details, i.e. Name, Password and Default AD Domain.
    Note: The account you configure here is just a user account that BO will use to talk to AD. It can be a simple domain user account. Ex: TESTDOMAIN\account2. Default AD Domain: TESTDOMAIN.ABC.COM
  10. In the Authentication options section, select “Use Kerberos Authentication”. Fill in the service principal name that was created earlier.
    Note: The SPN is case sensitive. Only fill in what you saw when you listed the SPNs created
  11. Choose the following in AD alias options:
    Assign each new AD alias to an existing User Account with the same name
    Create new aliases when the Alias Update occurs
    New users are created as named users
  12. Choose these options in Attribute Binding Options if desired:
    Import Full Name and Email Address
    Give AD attribute binding priority over LDAP attribute binding
  13. Choose “Update AD group graph & Aliases now” & click on Update
  14. You should now be able to add AD Member groups, e.g. TESTDOMAIN\Finance
  15. Now create a directory C:\WINNT, create a text file krb5.ini & put the following content in it:
    [libdefaults]
    default_realm = TESTDOMAIN.ABC.COM
    dns_lookup_kdc = true
    dns_lookup_realm = true
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
    [domain_realm]
    .testdomain.abc.com = TESTDOMAIN.ABC.COM
    testdomain.abc.com = TESTDOMAIN.ABC.COM
    [realms]
    TESTDOMAIN.ABC.COM = {
    default_domain = TESTDOMAIN.ABC.COM
    kdc = ADHOSTNAME.TESTDOMAIN.ABC.COM
    kdc = ADHOSTNAME2.TESTDOMAIN.ABC.COM
    }
  16. Create another file, name it bscLogin.conf and put the following content in it:
    com.businessobjects.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required;
    };
  17. Go to Start -> Programs -> Tomcat -> Tomcat Configuration
  18. Go to the Java tab and add the following 2 lines to the Java Options towards the end:
    -Djava.security.auth.login.config=c:\winnt\bscLogin.conf
    -Djava.security.krb5.conf=c:\winnt\krb5.ini
  19. Click Apply
  20. Go to Central Configuration Manager, restart SIA and then restart Tomcat.
  21. You should be able to login to Infoview with an AD user name in the format
    username@DOMAIN.COM. We haven’t figured out what we need to do to allow the users to login with just the userid

Hope this helps.


Farhan Jaffery (BOB member since 2005-08-27)

I have managed to have it working for BO 3.1 with AD authentication using Kerberos on Tomcat, but it does not work for Weblogic 10. Any idea?

My settings on Tomcat & Weblogic 10 are completely identical in terms of krb5 & bsclogin. At this stage I only want AD authentication with Kerberos to work on Weblogic 10 (on Solaris 10). Afterwards I would work on Vintela


naureen (BOB member since 2009-05-03)

Thanks for your mail, Farhan. It seems I have done all the things pretty much the same as you. Still our ad login attempts raise errors (even if we use the @domain.com format). The one last thing I will ask our ad administrator to do is to delete the spn and recreate it. When running setspn -l, for some reason I got three lines instead of the two it should have.


boe_admin (BOB member since 2009-04-16)

Seems that BO knows about this username@DOMAIN.COM -

FROM pg296 BusinessObjects Enterprise Administrator’s Guide (xi3-1_bip_admin_en.pdf)

When manually logging on to Java InfoView, users from other domains must log on with their AD account in UPN format. This is what is displayed in the logon name field in the AD Users and Computers snap-in. For example: user@Child.Parentdomain.com


Charles Killam (BOB member since 2003-04-24)

Thanks but what does it mean by other domains? One would assume that if no domain is provided, it is one of the domains specified in the krb5.ini file.


Farhan Jaffery (BOB member since 2005-08-27)

I got a similar situation.

kinit was all good, I received a ticket, but still the same error (FWM 00005) in Infoview.
The problem was that I used ‘bo@DOMAIN.com’ instead of ‘bo@DOMAIN.COM’ at the service principal.

So even the capitals are very important. Maybe this will help, or it will help someone in the future.


cstruik (BOB member since 2007-10-16)
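Farhan's steps require a kdc for the default realm in krb5.ini, and cstruik's post shows that the realm part of the SPN and account names must match in case exactly (bo@DOMAIN.com versus bo@DOMAIN.COM). The checker below is an added example, not code from this thread or from BusinessObjects: it parses the krb5.ini layout posted above and flags those mismatches before Tomcat is restarted. It assumes the SPN is entered in the CMC in its FQDN form (BOBJCentralMS/TESTDOMAIN.ABC.COM); the sample file inside the script is constructed.

```python
SAMPLE_KRB5_INI = """\
# constructed sample in the layout posted above, not a real site's file
[libdefaults]
default_realm = TESTDOMAIN.ABC.COM
[realms]
TESTDOMAIN.ABC.COM = {
kdc = ADHOSTNAME.TESTDOMAIN.ABC.COM
}
"""

def parse_krb5_ini(text):
    """Parse the krb5.ini subset used here: [section] headers, key = value
    lines and REALM = { ... } braces; values are lists so repeated kdc lines survive."""
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':          # blank or comment line
            continue
        if line[0] == '[' and line[-1] == ']':   # [section]
            section, realm = line[1:-1], None
            conf.setdefault(section, {})
        elif line.endswith('{'):                 # REALM = {
            realm = line[:-1].split('=')[0].strip()
            conf[section][realm] = {}
        elif line == '}':
            realm = None
        else:                                    # key = value
            key, _, value = line.partition('=')
            target = conf[section][realm] if realm else conf[section]
            target.setdefault(key.strip(), []).append(value.strip())
    return conf

def check_config(conf, spn, admin_name):
    """List problems: missing or lower-case default_realm, no [realms] block or kdc, and realm case mismatches."""
    problems = []
    default_realm = conf.get('libdefaults', {}).get('default_realm', [''])[0]
    if not default_realm:
        return ['[libdefaults] has no default_realm']
    if default_realm != default_realm.upper():
        problems.append(f'default_realm {default_realm} is not upper case')
    realm = conf.get('realms', {}).get(default_realm)
    if realm is None:
        problems.append(f'no [realms] block for {default_realm}')
    elif not realm.get('kdc'):
        problems.append(f'[realms] block for {default_realm} lists no kdc')
    for label, value in (('SPN', spn), ('AD administration name', admin_name)):
        suffix = value.replace('/', '@').rsplit('@', 1)[-1]   # realm after / or @
        if suffix != default_realm:   # exact compare: bo@DOMAIN.com != DOMAIN.COM
            problems.append(f'{label} {value} names realm {suffix}, not {default_realm}')
    return problems
```

Run it against the real krb5.ini, the SPN from setspn -l and the AD administration name from the CMC; an empty list means the three agree.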

Thanks! This was a really helpful thread to help me find an error with “supported encryption type”.

I am still trying to figure it out here →

Please take a look - and provide any insights you may have.

THANKS!


MJRBIM (BOB member since 2007-03-23)